
feat: show dev dependency label in terminal and HTML report#604

Merged
sonukapoor merged 6 commits into main from feature/issue-578-dev-dependency-label on Jun 11, 2026

Conversation

@sonukapoor (Collaborator)

Surfaces whether a vulnerable package is a devDependency in terminal output and the HTML report, so developers can immediately distinguish build-time risk from runtime risk.

What changed

  • Yarn Classic and Yarn Berry parsers now detect dev dependencies by walking dependency paths against devDependencies in package.json. npm, pnpm, and Bun already set this correctly.
  • Terminal output (compact and verbose) shows direct · dev or transitive · dev when the finding is from a devDependency
  • HTML report TYPE column shows a purple direct · dev badge for devDependency findings
  • serializeFinding now includes dev: boolean in its output
  • No label shown when dev status is unknown (Yarn Berry, or packages reachable from both prod and dev roots)

Behaviour

A package is only labelled dev when every known dependency path to it starts from a devDependencies root. If a package is reachable from both prod and dev roots, no label is shown.

Closes #578
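The "dev only when every path starts from a devDependencies root" rule above, as an added JavaScript example that is not the project's own code. The manifest, the flattened `graph` (standing in for a parsed lockfile), and the `classifyDependency` / `typeLabel` helpers are constructed for illustration.

```javascript
// Added example, not code from the project: classify a vulnerable package
// using the rule this PR describes. A package is "dev" only when every
// declared root that can reach it is a devDependencies root; reachable from
// both prod and dev roots means unknown, so no label is shown.
// The manifest and flattened lockfile graph below are constructed sample data.

const packageJson = {
  dependencies: { express: "^4.0.0" },
  devDependencies: { jest: "^29.0.0", "ts-node": "^10.0.0" },
};

// package name -> resolved dependency names (constructed, lockfile-like)
const graph = {
  express: ["debug", "qs"],
  jest: ["chalk", "micromatch"],
  "ts-node": ["acorn", "debug"],
  micromatch: ["braces"],
  debug: ["ms"],
};

// Every package reachable from the given roots, roots included.
function reachableFrom(roots, graph) {
  const seen = new Set();
  const stack = [...roots];
  while (stack.length > 0) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] ?? []) stack.push(dep);
  }
  return seen;
}

// "dev" | "prod" | undefined (reachable from both kinds of root, or from none)
function classifyDependency(name, manifest, graph) {
  const prod = reachableFrom(Object.keys(manifest.dependencies ?? {}), graph);
  const dev = reachableFrom(Object.keys(manifest.devDependencies ?? {}), graph);
  if (dev.has(name) && !prod.has(name)) return "dev";
  if (prod.has(name) && !dev.has(name)) return "prod";
  return undefined;
}

// TYPE column text: "direct" or "transitive", with " · dev" only when dev-only.
function typeLabel(name, manifest, graph) {
  const direct =
    name in (manifest.dependencies ?? {}) || name in (manifest.devDependencies ?? {});
  const base = direct ? "direct" : "transitive";
  return classifyDependency(name, manifest, graph) === "dev" ? `${base} · dev` : base;
}
```

Note that `debug` is reachable from both `express` (prod) and `ts-node` (dev), so it gets no dev label even though a dev root pulls it in.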

@sonukapoor sonukapoor force-pushed the feature/issue-578-dev-dependency-label branch from 96bb349 to 32ef0ce on June 11, 2026 11:23
@sonukapoor sonukapoor merged commit 5a9697d into main Jun 11, 2026
@sonukapoor sonukapoor deleted the feature/issue-578-dev-dependency-label branch June 11, 2026 11:25


Development

Successfully merging this pull request may close these issues:

#578 [Feature] show if vulnerability is related to a devDependency or a runtime dependency
